Group questions..several group memberships to one account. FreeRADIUS Version 2.1.10

Alexander Silveröhrt Alexander.Silverohrt at itux.se
Fri Apr 12 09:32:44 CEST 2013


Hello,

Never played around with groups using rlm_sql and the default schema..
I am reading what I assume is saying that it should be possible to have several groups for an account, and each group should be able to supply that specific group's radgroupreply attributes..
Number 4 below sure sounds like it should get all the account's groups first and then process them according to priority? The test below shows it only reads the first group? And no matter what priority..
Is that how it should work, or what am I missing here?

1. Search the radcheck table for any check attributes specific to the user
2. If check attributes are found, and there's a match, pull the reply items from the radreply table for this user and add them to the reply
3. Group processing then begins if any of the following conditions are met:
   ◦ The user IS NOT found in radcheck
   ◦ The user IS found in radcheck, but the check items don't match
   ◦ The user IS found in radcheck, the check items DO match AND Fall-Through is set in the radreply table
   ◦ The user IS found in radcheck, the check items DO match AND the read_groups directive is set to 'yes'
4. If groups are to be processed for this user, the first thing that is done is the list of groups this user is a member of is pulled from the usergroup table ordered by the priority field. The priority field of the usergroup table allows us to control the order in which groups are processed, so that we can emulate the ordering in the users file. This can be important in many cases.
5. For each group this user is a member of, the corresponding check items are pulled from radgroupcheck table and compared with the request. If there is a match, the reply items for this group are pulled from the radgroupreply table and applied.
6. Processing continues to the next group IF:
   ◦ There was not a match for the last group's check items OR
   ◦ Fall-Through was set in the last group's reply items (The above is exactly the same as in the users file)
7. Finally, if the user has a User-Profile attribute set or the Default Profile option is set in the sql.conf, then steps 4-6 are repeated for the groups that the profile is a member of.

To test it I added some data to

mysql> select * from radcheck;
+----+----------+-----------+----+-------+
| id | username | attribute | op | value |
+----+----------+-----------+----+-------+
|  8 | alex     | Password  | := | test  |
+----+----------+-----------+----+-------+

mysql> select * from radusergroup;
+----------+------------------+----------+
| username | groupname        | priority |
+----------+------------------+----------+
| alex     | mega-admin-group |        0 |
| alex     | cisco_admin      |        1 |
+----------+------------------+----------+

mysql> select * from radgroupreply;
+----+------------------+----------------+----+---------------------------------+
| id | groupname        | attribute      | op | value                           |
+----+------------------+----------------+----+---------------------------------+
|  1 | mega-admin-group | Reply-Message  | =  | test-mega-admin-reply-attribute |
|  2 | mega-admin-group | NAS-Identifier | =  | test-NAS                        |
|  3 | cisco_admin      | Service-Type   | =  | NAS-Prompt-User                 |
|  4 | cisco_admin      | cisco-avpair   | =  | shell:priv-lvl=15               |
+----+------------------+----------------+----+---------------------------------+
5 rows in set (0.00 sec)

root at noc1:/etc/freeradius# radtest -x alex test localhost 1812 testing123
Sending Access-Request of id 69 to 127.0.0.1 port 1812
        User-Name = "alex"
        User-Password = "test"
        NAS-IP-Address = 10.173.2.10
        NAS-Port = 1812
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=69, length=63
        Reply-Message = "test-mega-admin-reply-attribute"
        NAS-Identifier = "test-NAS"                     <-- Only replies from group mega-admin-group


And the FreeRADIUS debug output shows it only fetched replies for the first group..

rad_recv: Access-Request packet from host 127.0.0.1 port 49061, id=3, length=56
        User-Name = "alex"
        User-Password = "test"
        NAS-IP-Address = 10.173.2.10
        NAS-Port = 1812
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
rlm_perl: rlm_perl::Itux DEBUG::Inside authorize Function.
rlm_perl: Added pair User-Name = alex
rlm_perl: Added pair User-Password = test
rlm_perl: Added pair NAS-Port = 1812
rlm_perl: Added pair NAS-IP-Address = 10.173.2.10
++[perl] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "alex", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[sql]   expand: %{User-Name} -> alex
[sql] sql_set_user escaped user --> 'alex'
rlm_sql (sql): Reserving sql socket id: 3
[sql]   expand: SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = 'alex'           ORDER BY id
[sql] User found in radcheck table
[sql]   expand: SELECT id, username, attribute, value, op           FROM radreply           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radreply           WHERE username = 'alex'           ORDER BY id
[sql]   expand: SELECT groupname           FROM radusergroup           WHERE username = '%{SQL-User-Name}'           ORDER BY priority -> SELECT groupname           FROM radusergroup           WHERE username = 'alex'           ORDER BY priority
[sql]   expand: SELECT id, groupname, attribute,           Value, op           FROM radgroupcheck           WHERE groupname = '%{Sql-Group}'           ORDER BY id -> SELECT id, groupname, attribute,           Value, op           FROM radgroupcheck           WHERE groupname = 'mega-admin-group'           ORDER BY id
[sql] User found in group mega-admin-group
[sql]   expand: SELECT id, groupname, attribute,           value, op           FROM radgroupreply           WHERE groupname = '%{Sql-Group}'           ORDER BY id -> SELECT id, groupname, attribute,           value, op           FROM radgroupreply           WHERE groupname = 'mega-admin-group'           ORDER BY id
rlm_sql (sql): Released sql socket id: 3
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!    Replacing User-Password in config items with Cleartext-Password.     !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Please update your configuration so that the "known good"               !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group PAP {...}
[pap] login attempt with password "test"
[pap] Using clear text password "test"
[pap] User authenticated successfully
++[pap] returns ok
Login OK: [alex] (from client localhost port 1812)
# Executing section post-auth from file /etc/freeradius/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 3 to 127.0.0.1 port 49061
        Reply-Message = "test-mega-admin-reply-attribute"
Finished request 10.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 10 ID 3 with timestamp +7141
Ready to process requests.



Thx

Alex
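Added example (not part of the post above, and not rlm_sql's own code): a small Python model of the quoted steps 1-6, loaded with constructed copies of the tables shown in the post, so the group walk can be traced. It assumes read_groups = yes and an empty radgroupcheck, as in the post; the stop condition in step 6 is what limits the reply to the first group unless that group's radgroupreply carries Fall-Through = Yes.

```python
# Constructed model of the rlm_sql steps quoted above; NOT rlm_sql's own code.
from typing import Dict, List, Tuple

Item = Tuple[str, str, str]          # (attribute, op, value)
Table = Dict[str, List[Item]]        # keyed by username or groupname

# Constructed copies of the tables in the post (radreply/radgroupcheck are empty).
RADCHECK: Table = {"alex": [("Password", ":=", "test")]}
RADREPLY: Table = {}
RADUSERGROUP = [("alex", "mega-admin-group", 0), ("alex", "cisco_admin", 1)]
RADGROUPCHECK: Table = {}
RADGROUPREPLY: Table = {
    "mega-admin-group": [("Reply-Message", "=", "test-mega-admin-reply-attribute"),
                         ("NAS-Identifier", "=", "test-NAS")],
    "cisco_admin": [("Service-Type", "=", "NAS-Prompt-User"),
                    ("cisco-avpair", "=", "shell:priv-lvl=15")],
}


def items_match(items: List[Item], request: Dict[str, str]) -> bool:
    """Reduced check-item evaluation: only '==' is compared with the request;
    ':=' / '=' set config items (e.g. Password := test) and never fail."""
    return all(op != "==" or request.get(attr) == val for attr, op, val in items)


def has_fall_through(items: List[Item]) -> bool:
    return any(a == "Fall-Through" and v.lower() == "yes" for a, _, v in items)


def authorize(user: str, request: Dict[str, str], groupreply: Table = RADGROUPREPLY,
              read_groups: bool = True) -> List[Item]:
    """Return the reply items in the order the quoted steps 1-6 would add them."""
    reply: List[Item] = []
    found = user in RADCHECK                                   # step 1
    matched = found and items_match(RADCHECK[user], request)
    if matched:                                                # step 2
        reply += RADREPLY.get(user, [])
    # step 3: groups are processed only under one of the four listed conditions
    if not (not found or not matched or has_fall_through(reply) or read_groups):
        return reply
    # step 4: the user's groups ordered by priority
    groups = [g for u, g, _ in sorted(RADUSERGROUP, key=lambda r: r[2]) if u == user]
    for group in groups:                                       # step 5
        if not items_match(RADGROUPCHECK.get(group, []), request):
            continue                                           # step 6: no match
        items = groupreply.get(group, [])
        reply += [i for i in items if i[0] != "Fall-Through"]
        if not has_fall_through(items):                        # step 6: stop here
            break
    return reply
```

With the post's data, authorize() returns only the two mega-admin-group items; adding a Fall-Through = Yes row for mega-admin-group to radgroupreply makes the cisco_admin items follow.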

